For most organizations, least privilege is a policy problem. You define who needs admin access, remove it from everyone else, set up a just-in-time elevation workflow, and enforce it. Messy in practice, but conceptually straightforward.
For MSPs, it’s a different situation entirely. The same principle applies, but the scope, the risk, and the consequences of getting it wrong are all multiplied by however many clients are in the portfolio.
One Set of Technicians, Dozens of Environments
The core of what makes privilege management harder for MSPs is the technician access problem. A regular IT team manages admin rights for its own users within its own environment. MSP technicians need privileged access to many client environments simultaneously, often on short notice, often outside business hours.
The practical response to that pressure, at a lot of MSPs, is shared credentials. Admin passwords stored in a documentation tool or password manager, copied and pasted when a tech needs access. It works. It also means that every technician who has ever touched that credential is a potential entry point into every client environment it unlocks, including ones who’ve since left the company.
Rotating those credentials after a technician departs is the obvious fix, but in environments where one admin account might touch thirty client networks, that process is painful enough that it often doesn’t happen promptly, or at all. The 2025 Verizon Data Breach Investigations Report found that third-party involvement in breaches doubled year-over-year to 30%, and MSPs, sitting squarely in the “third party” category for every client they serve, are a significant part of that picture.
The better approach is eliminating the shared credential entirely. When technicians authenticate as themselves and receive just-in-time elevated access to specific systems for specific tasks, there’s nothing to steal, nothing to rotate, and a complete audit trail of who did what and where. That’s what Admin By Request’s EPM solution and Secure Remote Access are built to provide.

MSPs Are a Package Deal for Attackers
What makes an MSP a valuable target is also what makes a breach so damaging. A single compromised technician identity exposes every client environment that identity had access to, not just one organization.
Most organizations contain a breach within their own perimeter. MSPs don’t have that luxury. If the access controls aren’t airtight, one successful phishing attack on a junior technician can cascade across the entire client portfolio before anyone notices something is wrong.
CISA has explicitly flagged MSPs as high-value targets for this reason, noting that threat actors have repeatedly used MSP access to compromise downstream clients at scale. Reducing that exposure comes down to a few consistent practices:
- Removing standing privileges from technician accounts so there’s nothing persistent to compromise
- Requiring approval workflows for sensitive access, with automatic expiry once the task is done
- Scoping remote connections so technicians can only reach the systems relevant to a given task, not the entire client environment
None of that is complicated in principle. Doing it consistently across a large and growing client base is where the difficulty lies.
Compliance Stacks Up Fast
A single enterprise typically answers to one set of compliance requirements. MSPs often answer to several simultaneously, because their clients operate in different industries with different regulatory obligations. SOC 2 Type II, ISO 27001, NIST CSF, DORA, NIS2: depending on the client mix, an MSP might need to satisfy all of them, each with its own requirements around privileged access, audit logging, and access control documentation.
Cyber insurance has added another layer. Underwriters now routinely ask how MSPs manage privileged accounts, and the answers affect both coverage and premiums. “We use MFA and a password manager” isn’t the answer they’re looking for anymore.
Having a consistent, auditable privilege management system across all client environments makes compliance significantly more manageable. When every elevation is logged, every remote session is recorded, and access rights expire automatically, producing evidence for an audit stops being a scramble and starts being a matter of running a report.
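To make the practices above concrete (individual identities, second-person approval, per-host and per-client scoping, automatic expiry, and a per-client audit report), here is an added example; it is a constructed Python model, not Admin By Request code or a description of its product. Every technician, client, host, ticket and timestamp in it is made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed model of a JIT elevation broker for an MSP; illustrative names only.

@dataclass(frozen=True)
class Grant:
    tech: str             # technician's personal identity, never a shared admin account
    client: str           # tenant the grant is scoped to
    system: str           # single host inside that tenant
    task: str             # ticket reference the elevation is tied to
    approved_by: str      # second person who approved the request
    expires_at: datetime  # hard expiry; no standing access survives this

@dataclass
class ElevationBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    def request(self, tech, client, system, task, approved_by, ttl_min, now):
        """Issue a time-boxed grant for one host in one client environment."""
        if approved_by == tech:
            raise PermissionError("requester may not approve their own elevation")
        grant = Grant(tech, client, system, task, approved_by,
                      now + timedelta(minutes=ttl_min))
        self.grants.append(grant)
        self.audit.append({"ts": now, "event": "grant", "tech": tech, "client": client,
                           "system": system, "task": task, "approved_by": approved_by})
        return grant

    def authorize(self, tech, client, system, now):
        """Allow access only with an unexpired grant for exactly this tech/client/host."""
        allowed = any(g.tech == tech and g.client == client and g.system == system
                      and now < g.expires_at for g in self.grants)
        self.audit.append({"ts": now, "event": "access", "tech": tech, "client": client,
                           "system": system, "allowed": allowed})
        return allowed

    def report(self, client):
        """Per-client evidence for an auditor: every grant and every access decision."""
        return [e for e in self.audit if e["client"] == client]

def demo():
    t0 = datetime(2025, 1, 6, 22, 0, tzinfo=timezone.utc)  # constructed after-hours call-out
    broker = ElevationBroker()
    broker.request("alice", "acme", "srv01", "TCK-1001", "bob", 60, t0)
    in_scope = broker.authorize("alice", "acme", "srv01", t0 + timedelta(minutes=10))
    other_host = broker.authorize("alice", "acme", "srv02", t0 + timedelta(minutes=10))
    other_client = broker.authorize("alice", "globex", "srv01", t0 + timedelta(minutes=10))
    expired = broker.authorize("alice", "acme", "srv01", t0 + timedelta(minutes=61))
    return in_scope, other_host, other_client, expired, len(broker.report("acme"))
```

`demo()` shows the grant being honoured on the one host it names and refused for a sibling host, a different client, and after the TTL, with the `acme` report holding the grant and all three decisions made against that tenant.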
The Client Endpoint Side
So far this is mostly about MSP technician access, but there’s a second layer worth addressing: the client endpoints themselves.
Many MSPs are responsible for managing and securing their clients’ workstations and servers, which means they’re also responsible for enforcing least privilege on end users across those environments. A client whose employees all run as local administrators is a liability, both for the client and for the MSP that’s supposed to be keeping things secure.
Removing local admin rights from end users and replacing permanent access with just-in-time elevation is one of the most effective things an MSP can do to reduce risk across a client base. It limits the damage any single compromised user account can do, reduces the foothold available to malware, and cuts down on the help desk tickets that come from users inadvertently breaking things with admin access they didn’t need in the first place.
The catch is that doing this at scale, across multiple client environments with different configurations and user populations, requires tooling that was designed with that kind of deployment in mind. A solution that works fine for a single organization can become unwieldy when an MSP is trying to manage it across thirty clients from a single portal.

Getting It Right
MSPs that take privilege management seriously tend to get ahead of these problems with a combination of the right tooling and consistent enforcement: technicians authenticating as individuals rather than sharing credentials, just-in-time access for both local elevation and remote sessions, automatic expiry, and audit-ready reporting that satisfies client compliance requirements without a manual evidence-gathering process every time an auditor comes calling.
Admin By Request’s EPM solution handles the endpoint side of that. It removes standing admin rights and replaces them with audited, policy-driven elevation across Windows, macOS, and Linux, covering both the MSP’s own technicians and the end users across their client environments.
Secure Remote Access handles the remote side, providing browser-based, just-in-time connections to client systems without persistent VPN tunnels or exposed ports. No shared credentials, no standing access, and a full session recording for every connection.
Both solutions are available on a free plan for up to 25 endpoints, or you can book a demo to see how they work together across a multi-client environment.

